diff options
author | Joseph Reynolds <jrey@us.ibm.com> | 2018-08-31 05:39:37 +0300 |
---|---|---|
committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2018-09-24 21:15:21 +0300 |
commit | 4028f33b111bb4e66493732d9c99f1f6a6fb1744 (patch) | |
tree | 661d70a90bc809b28d859bf35aae8a35d756ed51 /meta-ibm/recipes-httpd/nginx | |
parent | 42ed80522120acd4337f0ae7f33e9fe62e71ff02 (diff) | |
download | openbmc-4028f33b111bb4e66493732d9c99f1f6a6fb1744.tar.xz |
Nginx adds http security headers
Nginx now adds security-related headers to HTTP responses per
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
and consistent with openbmc/bmcweb (see header file
include/security_headers_middleware.hpp).
Tested:
curl -D headers http://${bmc}
redirects to https
No security headers apply, and none are sent
curl https://${bmc}
contains security headers and works properly
curl https://${bmc}/xyz/openbmc_project/software
contains Strict-Transport-Security header, and works
curl ... -X POST -T ${image} https://${bmc}/upload/image"
works
firefox http redirects to https
firefox https://${bmc}/ logs in and works
Resolves openbmc/openbmc#3195
(From meta-ibm rev: 8202b2639cba28a71640db48e38f6b7f1d3eaed0)
Change-Id: Ie20169abbca02471fa5dc89bebba8a6cdf722cd6
Signed-off-by: Joseph Reynolds <jrey@us.ibm.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Diffstat (limited to 'meta-ibm/recipes-httpd/nginx')
-rw-r--r-- | meta-ibm/recipes-httpd/nginx/files/nginx.conf | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/meta-ibm/recipes-httpd/nginx/files/nginx.conf b/meta-ibm/recipes-httpd/nginx/files/nginx.conf index 5313f508f..be7faf92f 100644 --- a/meta-ibm/recipes-httpd/nginx/files/nginx.conf +++ b/meta-ibm/recipes-httpd/nginx/files/nginx.conf @@ -14,6 +14,8 @@ events { # Note that a lot of these settings come from the OWASP Secure # Configuration guide for nginx # https://www.owasp.org/index.php/SCG_WS_nginx +# and the OWASP Secure Headers project +# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project # and the mozilla security guidelines # https://wiki.mozilla.org/Security/Server_Side_TLS @@ -64,6 +66,8 @@ http { ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"; ssl_prefer_server_ciphers on; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; + location / { # This location lets us serve the static pre-compressed webui # content (rooted at /usr/share/www). Also if the URI points to @@ -80,6 +84,15 @@ http { gunzip on; gzip_static always; try_files $uri $uri/ @rest_server; + + add_header X-Frame-Options deny; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Content-Type-Options nosniff; + add_header Content-Security-Policy "frame-ancestors 'none'; default-src 'self' 'unsafe-eval' 'unsafe-inline'"; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; + add_header Cache-Control "no-store,no-cache"; + add_header Pragma "no-cache"; + add_header Expires 0; } location @rest_server { # Use 127.0.0.1 instead of localhost since nginx will |